- Enable [semi-linear history merge requests](#semi-linear-history-merge-requests) as another security layer to guarantee the pipeline is passing in the target branch
- Enable [semi-linear history merge requests](#semi-linear-history-merge-requests) as another security layer to guarantee the pipeline is passing in the target branch
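Review bot: "guarantee the pipeline is passing in the target branch" overstates what this unchanged context line's own framing ("another security layer") supports; semi-linear history only makes sure the pipeline result refers to the content that will actually land in the target branch, so consider "to help ensure the pipeline result reflects what will land in the target branch".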
...
@@ -32,15 +32,15 @@ With GitLab merge requests, you can:
With **[GitLab Enterprise Edition][ee]**, you can also:
With **[GitLab Enterprise Edition][ee]**, you can also:
- View the deployment process across projects with [Multi-Project Pipeline Graphs](https://docs.gitlab.com/ee/ci/multi_project_pipeline_graphs.html#multi-project-pipeline-graphs)**[PREMIUM]**
- View the deployment process across projects with [Multi-Project Pipeline Graphs](../../../ci/multi_project_pipeline_graphs.md#multi-project-pipeline-graphs)**[PREMIUM]**
- Request [approvals](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html) from your managers **[STARTER]**
- Request [approvals](merge_request_approvals.md) from your managers **[STARTER]**
-[Squash and merge](https://docs.gitlab.com/ee/user/project/merge_requests/squash_and_merge.html) for a cleaner commit history **[STARTER]**
-[Squash and merge](squash_and_merge.md) for a cleaner commit history **[STARTER]**
- Analyze the impact of your changes with [Code Quality reports](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality_diff.html)**[STARTER]**
- Analyze the impact of your changes with [Code Quality reports](code_quality_diff.md)**[STARTER]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](#static-application-security-testing)**[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](#dependency-scanning)**[ULTIMATE]**
- Manage the licenses of your dependencies with [License Management](#license-management)**[ULTIMATE]**
- Manage the licenses of your dependencies with [License Management](#license-management)**[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](#container-scanning)**[ULTIMATE]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](sast.md)**[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](#dynamic-application-security-testing)**[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](dast.md)**[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](dependency_scanning.md)**[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](container_scanning.md)**[ULTIMATE]**
- Determine the performance impact of changes with [Browser Performance Testing](#browser-performance-testing)**[PREMIUM]**
- Determine the performance impact of changes with [Browser Performance Testing](#browser-performance-testing)**[PREMIUM]**
## Use cases
## Use cases
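Review bot: the `**[PREMIUM]**`, `**[STARTER]**` and `**[ULTIMATE]**` badges are glued to the closing parenthesis in most items (`...#multi-project-pipeline-graphs)**[PREMIUM]**`) but separated by a space in the approvals and squash items (`from your managers **[STARTER]**`); pick one spacing, and a space before the badge matches the rest of the page. The reordering of the scanner items to SAST, DAST, Dependency Scanning, Container Scanning is good because it matches the order of the Security reports list introduced later in this change.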
...
@@ -49,8 +49,8 @@ A. Consider you are a software developer working in a team:
1. You checkout a new branch, and submit your changes through a merge request
1. You checkout a new branch, and submit your changes through a merge request
1. You gather feedback from your team
1. You gather feedback from your team
1. You work on the implementation optimizing code with [Code Quality reports](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality_diff.html)**[STARTER]**
1. You work on the implementation optimizing code with [Code Quality reports](code_quality_diff.md)**[STARTER]**
1. You avoid using dependencies whose license is not compatible with your project with [License Management reports](https://docs.gitlab.com/ee/user/project/merge_requests/license-management.html)**[ULTIMATE]**
1. You avoid using dependencies whose license is not compatible with your project with [License Management reports](license_management.md)**[ULTIMATE]**
1. You build and test your changes with GitLab CI/CD
1. You build and test your changes with GitLab CI/CD
1. You request the [approval](#merge-request-approvals) from your manager
1. You request the [approval](#merge-request-approvals) from your manager
1. Your manager pushes a commit with his final review, [approves the merge request](#merge-request-approvals), and set it to [merge when pipeline succeeds](#merge-when-pipeline-succeeds)
1. Your manager pushes a commit with his final review, [approves the merge request](#merge-request-approvals), and set it to [merge when pipeline succeeds](#merge-when-pipeline-succeeds)
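Review bot: the step "You request the approval from your manager" still links to the `#merge-request-approvals` fragment, while the same step in use case B below is switched to `merge_request_approvals.md`; use one target in both places. The license link change from `license-management.html` to `license_management.md` matches the `[Read more about License Management reports.](license_management.md)` link further down, good. In unchanged context while here: "his final review" reads better as "their final review", and "and set it to" should be "and sets it to".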
...
@@ -63,8 +63,8 @@ B. Consider you're a web developer writing a webpage for your company's website:
1. You gather feedback from your reviewers
1. You gather feedback from your reviewers
1. Your changes are previewed with [Review Apps](../../../ci/review_apps/index.md)
1. Your changes are previewed with [Review Apps](../../../ci/review_apps/index.md)
1. You request your web designers for their implementation
1. You request your web designers for their implementation
1. You request the [approval](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html) from your manager **[STARTER]**
1. You request the [approval](merge_request_approvals.md) from your manager **[STARTER]**
1. Once approved, your merge request is [squashed and merged](https://docs.gitlab.com/ee/user/project/merge_requests/squash_and_merge.html), and [deployed to staging with GitLab Pages](https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/)(Squash and Merge is available in GitLab Starter)
1. Once approved, your merge request is [squashed and merged](squash_and_merge.md), and [deployed to staging with GitLab Pages](https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/)(Squash and Merge is available in GitLab Starter)
1. Your production team [cherry picks](#cherry-pick-changes) the merge commit into production
1. Your production team [cherry picks](#cherry-pick-changes) the merge commit into production
## Merge requests per project
## Merge requests per project
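Review bot: in the squash step the parenthetical "(Squash and Merge is available in GitLab Starter)" is glued to the preceding link with no space and departs from the `**[STARTER]**` badge convention used in the approval step one line above; replace it with ` **[STARTER]**` after the squash link. Nit in unchanged context: "You request your web designers for their implementation" reads better as "You ask your web designers for their implementation".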
...
@@ -218,7 +218,7 @@ have been marked as a **Work In Progress**.
[Learn more about settings a merge request as "Work In Progress".](work_in_progress_merge_requests.md)
[Learn more about settings a merge request as "Work In Progress".](work_in_progress_merge_requests.md)
## Merge request approvals
## Merge request approvals **[STARTER]**
> Included in [GitLab Starter][products].
> Included in [GitLab Starter][products].
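Review bot: with the `**[STARTER]**` badge now in the heading, the blockquote "> Included in [GitLab Starter][products]." directly beneath says the same thing twice; drop it (the Code Quality section keeps its note because it also carries a version, 9.3). Typo in unchanged context: "settings a merge request" should be "setting a merge request".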
...
@@ -229,7 +229,7 @@ list of approvers that will need to approve every merge request in a project.
[Read more about merge request approvals.](merge_request_approvals.md)
[Read more about merge request approvals.](merge_request_approvals.md)
## Code Quality
## Code Quality **[STARTER]**
> Introduced in [GitLab Starter][products] 9.3.
> Introduced in [GitLab Starter][products] 9.3.
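Review bot: the badge is added to the heading and the version note is kept, consistent with the other sections. The hunk context still says GitLab "can show the Code Climate report" while the section is titled Code Quality and the link text says "Code Quality reports"; use one name throughout.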
...
@@ -239,27 +239,15 @@ can show the Code Climate report right in the merge request widget area.
[Read more about Code Quality reports.](code_quality_diff.md)
[Read more about Code Quality reports.](code_quality_diff.md)
If you are using [GitLab CI/CD][ci], you can analyze your source code for known
vulnerabilities using Static Application Security Testing (SAST).
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Static Application Security Testing reports.](sast.md)
## Dependency Scanning **[ULTIMATE]**
> Introduced in [GitLab Premium][products] 10.3.
> Introduced in [GitLab Ultimate][products] 10.7.
If your application offers a web interface and you are using [GitLab CI/CD][ci], you can quickly determine the performance impact of pending code changes. GitLab uses [Sitespeed.io][sitespeed], a free and open source tool for measuring the performance of web sites, to analyze the performance of specific pages.
If you are using [GitLab CI/CD][ci], you can analyze your dependencies for known
GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the difference in overall performance scores between the source and target branches.
vulnerabilities using Dependency Scanning.
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Dependency Scanning reports.](dependency_scanning.md)
[Read more about Browser Performance Testing.](browser_performance_testing.md)
## License Management **[ULTIMATE]**
## License Management **[ULTIMATE]**
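Review bot: the SAST and Dependency Scanning sections removed here carried their own introduction notes (Dependency Scanning: "Introduced in GitLab Ultimate 10.7"), and the consolidated Security reports section that replaces them in the next hunk states only "Introduced in GitLab Ultimate 10.4", so readers lose the per-report version information; keep it in the bullet list or confirm the linked pages state it. The Browser Performance Testing text moved here uses the reference-style links `[sitespeed]` and `[sitespeed-container]`, whose definitions are not visible in this hunk; check they still resolve after the move.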
...
@@ -272,38 +260,40 @@ merge request widget area.
[Read more about License Management reports.](license_management.md)
[Read more about License Management reports.](license_management.md)
## Container Scanning **[ULTIMATE]**
## Security reports **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.4.
If you are using [GitLab CI/CD][ci], you can analyze your Docker images for known
GitLab can scan and report any vulnerabilities found in your project. The
vulnerabilities.
following security reports are available:
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Container Scanning reports.](container_scanning.md)
-[Static Application Security Testing reports](sast.md) - Analyze your source
code for known vulnerabilities using Static Application Security Testing (SAST)
and see the security report right in your merge requests.
-[Dynamic Application Security Testing reports](dast.md) - Analyze your running
web application(s) for known vulnerabilities using Dynamic Application Security
Testing (DAST) and see the security report right in your merge requests.
-[Dependency Scanning reports](dependency_scanning.md) - Analyze your
dependencies for known vulnerabilities using Dependency Scanning and see the
security report right in your merge requests.
-[Container Scanning reports](container_scanning.md) - Analyze your Docker
images for known vulnerabilities and see the security report right in your
### Interacting with security reports **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.4.
> Introduced in [GitLab Ultimate][products] 10.8.
If you are using [GitLab CI/CD][ci], you can analyze your running web
application(s) for known vulnerabilities using Dynamic Application Security
Testing (DAST).
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Dynamic Application Security Testing reports.](dast.md)
## Browser Performance Testing **[PREMIUM]**
> Introduced in [GitLab Premium][products] 10.3.
If your application offers a web interface and you are using [GitLab CI/CD][ci], you can quickly determine the performance impact of pending code changes. GitLab uses [Sitespeed.io][sitespeed], a free and open source tool for measuring the performance of web sites, to analyze the performance of specific pages.
CAUTION: **Warning:**
This feature is currently experimental and while you can start using it,
it may receive important changes in the future.
GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the difference in overall performance scores between the source and target branches.
Each security vulnerability in the report is actionable which means that you can:
[Read more about Browser Performance Testing.](browser_performance_testing.md)
-**Dismiss it** - Dismissing a vulnerability will place a ~~strikethrough~~
styling on it.
-**Revert your dismissal** - Reverting a dismissal will undo the
~~strikethrough~~ styling.
-**Create an issue out of it** - The new issue will have the title and
description pre-populated with the information of the vulnerability report.
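Review bot: the Container Scanning bullet ("Analyze your Docker images for known vulnerabilities and see the security report right in your") is the only one of the four that does not name its method (the others say "using Static Application Security Testing (SAST)", "using Dynamic Application Security Testing (DAST)", "using Dependency Scanning"); add "using Container Scanning" for symmetry and check that the sentence ends with "merge requests." like the others. In "Interacting with security reports", dismissal is described only as strikethrough styling; the section should say whether the dismissal is recorded (who dismissed it, and whether it persists across later pipelines), since a silent dismissal is an audit gap for anyone reviewing the project's security posture. For "Create an issue out of it", the issue is pre-populated with the vulnerability details, so the text should remind readers to make it confidential in projects whose issues are public. The experimental CAUTION note is well placed ahead of the action list.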